Setting Up LDAP/SSL Client Authentication

Client authentication is desirable if you want to make sure that only
authorized clients can access the directory server. There are two authentication
steps:

SSL client authentication

LDAP BIND authentication

For SSL client authentication, the LDAP server checks the validity of the
certificate presented by the client. If the SSL client is successfully
authenticated, an LDAP BIND operation is performed. The following credentials
are accepted for this operation:

BIND DN and BIND PASSWORD (through ldapsearch options
-D and -w)

SSL Certificate's subject DN without checking the certificate

SSL Certificate's subject DN with checking the certificate

The following procedures describe how to perform password-based and
certificate-based BIND operations together with SSL client authentication.

The previous example assumes that a user with the DN cn=Directory
Manager exists. If you do not have such a user, use another DN. If the
previous example fails, check the ACIs on the directory subtree.

Submitting a bind DN with a password is secure in the above example because
the credentials are transmitted inside the encrypted SSL session.

The following procedures assume that you can already authenticate
successfully with a password-based BIND operation over an SSL session with
client authentication.

To Use the SSL Client Certificate as Credentials Rather Than a
Username/Password Pair For the LDAP BIND Operation

There are two options:

Let the LDAP server grant or deny access based solely on the Subject
entry of the SSL certificate.

Let access be granted or denied by comparing the certificate the client
presents during SSL session initialization against the certificate stored in
the client's LDAP entry in the directory.

In both cases, the server must be able to map the information stored in the
Subject entry of the certificate to an LDAP entry. The mapping is defined in a
file called certmap.conf that resides in:

$LDAPHOME/shared/config/certmap.conf

The verifycert parameter controls what options become active. In
this example, the file contains the following entry:

Successful client authentication depends on the contents of
certmap.conf. If your directory information tree differs slightly, the
entry will look different. Check
$LDAPHOME/slapd-sunshine/log/errors and
$LDAPHOME/slapd-sunshine/log/access for errors.

In order to perform an LDAP BIND operation that compares the certificates,
the LDAP server must hold the client's certificate, which contains the
client's public key.

In this example, the user is called LDAP Client.

From the Sun ONE console, add the attribute usercertificate
to the user's entry (Sun ONE Console—Directory—Users—LDAP
Client—Properties (right mouse button)—Advanced—Add
Attribute).

The Add Attribute dialog opens.

To make sure that the usercertificate attribute is transferred in binary
form, select the subtype Binary in the Add Attribute dialog.

After adding the attribute, add an attribute value in the Property Editor
window: use the file selector box to load the value from
~/certs/ldap-client.bin (the file you generated in the section ,
"Generating an SSL Server Certificate").

Test whether the certificate can be found by submitting the following LDAP
query:

As in the previous example, map the Subject entry to an LDAP entry by
using the file certmap.conf.

Then tell the server to compare the certificate presented during the
establishment of the SSL session against the certificate stored in the
user's LDAP entry. This is done by setting the verifycert
parameter to on. The following example contains the content of the certmap.conf
file.
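The following Python model shows, for both certificate-based options described above, how a certmap.conf mapping turns the Subject DN of the client certificate into a base DN and search filter, and what the verifycert on setting adds on top of that (a byte-for-byte comparison of the presented certificate against the usercertificate value of the matched entry). It is an added example, not the directory server's code: the certmap.conf text, the subject DN, the directory contents and the certificate bytes are constructed, the RDN splitting is simplified, and the handling of an absent versus an empty DNComps line follows the documented certmap.conf semantics as an assumption of this example.

```python
"""Model of certmap.conf-driven certificate-to-entry mapping (added example,
not the directory server's code).  certmap.conf text, subject DN, directory
entries and certificate bytes below are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample certmap.conf.  'certmap <name> <issuerDN>' opens a mapping;
# '<name>:<property> <value>' lines configure it.  DNComps names the subject
# components that form the search base, FilterComps those that form the filter.
CERTMAP_CONF = """\
certmap default default
default:DNComps ou o
default:FilterComps cn
default:verifycert on
"""

SUFFIX = "o=example.com"
SUBJECT_DN = "cn=LDAP Client,ou=People,o=example.com"
CLIENT_CERT = b"\x30\x82\x01\x2a-constructed-der-bytes"   # stand-in for ldap-client.bin

# Constructed directory: DN -> attributes.  usercertificate;binary holds the DER cert.
DIRECTORY = {
    "cn=LDAP Client,ou=People,o=example.com": {
        "cn": ["LDAP Client"],
        "usercertificate;binary": [CLIENT_CERT],
    },
    "cn=Other User,ou=People,o=example.com": {"cn": ["Other User"]},
}

# certmap.conf names the e-mail component 'e'; the LDAP attribute is 'mail'.
ATTR_ALIASES = {"e": "mail"}


@dataclass
class CertMap:
    name: str
    issuer: str
    dncomps: Optional[List[str]] = None          # None: DNComps line absent
    filtercomps: List[str] = field(default_factory=list)
    verifycert: bool = False


def parse_certmap(text: str) -> Dict[str, CertMap]:
    """Parse certmap.conf text into CertMap objects keyed by mapping name."""
    maps: Dict[str, CertMap] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower().startswith("certmap "):
            _, name, issuer = line.split(None, 2)   # issuer DN may contain spaces
            maps[name] = CertMap(name, issuer)
            continue
        key, _, value = line.partition(" ")
        name, _, prop = key.partition(":")
        cm, prop, words = maps[name], prop.lower(), value.split()
        if prop == "dncomps":
            cm.dncomps = [w.lower() for w in words]
        elif prop == "filtercomps":
            cm.filtercomps = [w.lower() for w in words]
        elif prop == "verifycert":
            cm.verifycert = value.strip().lower() == "on"
    return maps


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    # Simplified RDN split: escaped commas and multi-valued RDNs are not handled.
    return [(a.strip().lower(), v.strip())
            for a, v in (r.split("=", 1) for r in dn.split(","))]


def map_subject(cm: CertMap, subject_dn: str, suffix: str):
    """Derive (base DN, equality terms) for the entry lookup from the subject DN."""
    rdns = parse_dn(subject_dn)
    if cm.dncomps is None:
        base = subject_dn        # no DNComps line: the subject DN itself is the entry DN
    elif not cm.dncomps:
        base = suffix            # empty DNComps: search the whole suffix
    else:
        base = ",".join(f"{a}={v}" for a, v in rdns if a in cm.dncomps)
    terms = [(ATTR_ALIASES.get(a, a), v) for a, v in rdns if a in cm.filtercomps]
    return base, terms


def search(directory, base: str, terms) -> List[str]:
    """Return DNs under `base` whose attributes satisfy every (attr, value) term."""
    return [dn for dn, attrs in directory.items()
            if dn.lower().endswith(base.lower())
            and all(v in attrs.get(a, []) for a, v in terms)]


def authenticate(cm: CertMap, subject_dn: str, presented_cert: bytes, directory, suffix: str):
    """Return (bound DN, 'ok'), or (None, reason) when mapping or comparison fails."""
    base, terms = map_subject(cm, subject_dn, suffix)
    hits = search(directory, base, terms)
    if len(hits) != 1:           # the mapping must identify exactly one entry
        return None, f"mapping matched {len(hits)} entries under {base}"
    dn = hits[0]
    if cm.verifycert:            # verifycert on: presented cert must equal the stored one
        stored = directory[dn].get("usercertificate;binary", []) \
            + directory[dn].get("usercertificate", [])
        if presented_cert not in stored:
            return None, "verifycert on: presented certificate does not match usercertificate"
    return dn, "ok"


if __name__ == "__main__":
    cm = parse_certmap(CERTMAP_CONF)["default"]
    print(map_subject(cm, SUBJECT_DN, SUFFIX))
    print(authenticate(cm, SUBJECT_DN, CLIENT_CERT, DIRECTORY, SUFFIX))
    print(authenticate(cm, SUBJECT_DN, b"some-other-cert", DIRECTORY, SUFFIX))
```

With verifycert off, the model grants the BIND as soon as the subject maps to exactly one entry, which is the first option above; with verifycert on, a certificate whose subject matches but whose bytes differ from the stored usercertificate value is rejected, which is what the second option adds. A mapping that matches zero or several entries fails in both modes, which is the case to look for in the errors and access logs when a slightly different directory information tree breaks the lookup.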